[Jython-bugs] [issue1199] zipimporter should be smarter about what
files it tries to access

New submission from Ethan Glasser-Camp <ethan@...>:
The zipimporter.zipimporter constructor does some path exploration to
find out if it was given a path that is "contained" in a zip file. Right
now if it gets the path:
/some/path/archive.zip/jython/modules/foo.py
It walks up this path looking for an object that is a regular file. So,
it tries:
/some/path/archive.zip/jython/modules/
/some/path/archive.zip/jython/
/some/path/archive.zip
And then stops, since it has found a regular file. However, for paths
that are not contained in zip files, such as this:
/some/path/to/a/project/jython/Lib/foo.py
It will walk up the directory hierarchy, but never find a regular file:
/some/path/to/a/project/jython/Lib/
/some/path/to/a/project/jython/
/some/path/to/a/project/
/some/path/to/a/project/
/some/path/to/a/
/some/path/to/
/some/path/
/some/
We're trying to sandbox Jython and so use the JVM SecurityManager to
prohibit access to most files -- as a result, this directory climbing is
inconvenient for us. It seems to me that if you find that the path is
not a regular file, but does exist, then it must not be contained in any
zip files, so you can bail immediately. Does this change sound OK?
----------
components: Core
messages: 3906
nosy: ethan-10gen
severity: normal
status: open
title: zipimporter should be smarter about what files it tries to access
versions: 2.5.1
_______________________________________
Jython tracker <report@...>
<http://bugs.jython.org/issue1199>
_______________________________________
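
The two lookup strategies discussed in this report, as an added Python example (not Jython's zipimporter code; `find_archive`, `outside` and the temporary tree are constructed for illustration). It records every path probed and counts the probes that fall outside a permitted root, which is what a SecurityManager policy would have to allow.

```python
import os
import tempfile
import zipfile


def find_archive(path, bail_early=False):
    """Return (archive_or_None, probed_paths) for a sys.path-style entry."""
    probed, current = [], path
    while True:
        probed.append(current)  # each probe is a file access the sandbox must allow
        if os.path.isfile(current):
            return (current if zipfile.is_zipfile(current) else None), probed
        if bail_early and os.path.exists(current):
            return None, probed  # exists, not a regular file: not inside an archive
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            return None, probed
        current = parent


def outside(root, probed):
    """Probed paths that fall outside the permitted tree `root`."""
    root = os.path.join(root, "")
    return [p for p in probed if not os.path.join(p, "").startswith(root)]


def demo():
    # Constructed tree: one plain directory entry and one entry inside a zip.
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "project", "jython", "Lib")
        os.makedirs(lib)
        archive = os.path.join(root, "archive.zip")
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr("jython/modules/foo.py", "x = 1\n")
        inside_zip = os.path.join(archive, "jython", "modules")
        results = {}
        for mode in (False, True):
            found_dir, probes_dir = find_archive(lib, bail_early=mode)
            found_zip, probes_zip = find_archive(inside_zip, bail_early=mode)
            results[mode] = {
                "dir": (found_dir, len(probes_dir), len(outside(root, probes_dir))),
                "zip": (found_zip == archive, len(probes_zip), len(outside(root, probes_zip))),
            }
        return results


if __name__ == "__main__":
    for mode, r in demo().items():
        print("bail_early=%s: %s" % (mode, r))
```

Each tuple is (result, number of probes, probes outside the permitted root); only the climbing walk over a plain directory leaves the permitted tree.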
